Predator spyware Aladdin zero-click ad-delivery
Malware Activity
Summary
Hide ▲
Show ▼
Predator spyware from Intellexa is using Aladdin, a zero-click ad-based infection path, to compromise selected targets without requiring a click. The activity matters because the malicious ads can trigger infection simply by being viewed, making delivery harder to detect and block. The mechanism was first deployed in 2024 and is believed to still be operational and actively developed. The infection flow also shows how commercial ad infrastructure can be weaponized for covert spyware delivery.
Related Happenings
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Google Ads tax-search ScreenConnect malvertising campaign
CampaignAbout this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
ZeroDayRAT mobile spyware advertisement
Malware Activity
First: 10.02.2026 15:00
Last: 10.02.2026 15:00
Sources 1
About this happening:
The **ZeroDayRAT** mobile spyware platform is being advertised on **Telegram** as a commercial toolkit for **Android** and **iOS** devices, with support for **Android 5 through 16...
ZeroDayRAT mobile spyware advertisement
Malware ActivityAbout this happening: The **ZeroDayRAT** mobile spyware platform is being advertised on **Telegram** as a commercial toolkit for **Android** and **iOS** devices, with support for **Android 5 through 16...
MacOS infostealer campaign using fake ads and ClickFix lures
Campaign
First: 04.02.2026 09:42
Last: 04.02.2026 09:42
Sources 1
About this happening:
**macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...
MacOS infostealer campaign using fake ads and ClickFix lures
CampaignAbout this happening: **macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...
Android click-fraud trojans using TensorFlow.js to automate hidden ad taps
Malware Activity
First: 22.01.2026 00:07
Last: 22.01.2026 00:07
Sources 1
About this happening:
The **Android click-fraud trojan family** now uses **TensorFlow.js** to identify and tap ad elements on **Android devices**, making fraudulent clicks more adaptive and harder to s...
Android click-fraud trojans using TensorFlow.js to automate hidden ad taps
Malware ActivityAbout this happening: The **Android click-fraud trojan family** now uses **TensorFlow.js** to identify and tap ad elements on **Android devices**, making fraudulent clicks more adaptive and harder to s...
Intellexa Predator spyware delivery and device-data exfiltration
Malware Activity
First: 05.12.2025 13:47
Last: 05.12.2025 13:47
Sources 1
About this happening:
Intellexa's **Predator** spyware was used in a **new 1-click targeting attempt** against a **civil society lawyer in Pakistan**, underscoring continued mobile surveillance operati...
Intellexa Predator spyware delivery and device-data exfiltration
Malware ActivityAbout this happening: Intellexa's **Predator** spyware was used in a **new 1-click targeting attempt** against a **civil society lawyer in Pakistan**, underscoring continued mobile surveillance operati...
Timeline
-
04.12.2025 22:47 2 articles · 5mo ago
Intellexa Predator Aladdin zero-click ad delivery disclosed
Initial DisclosureIntellexa's Predator spyware was reported as using Aladdin, a zero-click infection mechanism that compromised specific targets by simply viewing a malicious advertisement. The delivery path leverages commercial mobile advertising infrastructure, including a Demand Side Platform, and the leaked material says Aladdin was first deployed in 2024 and is believed to remain operational and actively developed. The disclosure also ties the mechanism to leaked internal Intellexa documents and to corroborating technical research from Amnesty International, Google, and Recorded Future.
Show sources
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47
- Predator spyware uses new infection vector for zero-click attacks — www.bleepingcomputer.com — 04.12.2025 22:47